Wednesday, January 13, 2021

SolarWinds Attack and its implication for U.S. Security: Sabotage or espionage?

Article Contributor(s): Vaishnavi Krishna Mohan

Global Views 360

Publication Date: January 13, 2021

SolarWinds office in Texas | Source: Glassdoor

SolarWinds, a publicly listed Texas-based company valued at more than $6 billion, has a highly reputed customer list that includes multiple U.S. government agencies. The company develops software that helps businesses and agencies manage and monitor their networks, systems and IT infrastructure. Its customers include over 425 of the Fortune 500 companies, the top five U.S. accounting firms, all major U.S. telecom providers, the U.S. Treasury, several global universities and educational institutions, the NSA and the White House.

A set of hackers managed to sneak malicious code into a software update for a SolarWinds tool called “Orion”. The hackers had injected malware into the Orion updates released between March and June of 2020. On 5 January 2021, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) issued an official joint statement saying that "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks". U.S. government agencies such as the Pentagon, the National Institutes of Health, the FBI, the DHS, the Department of Energy and the Department of Veterans Affairs were some of the significant users of Orion. In fact, in August 2020 the Department of Veterans Affairs renewed its Orion license in a 2.8-million-dollar order. The Department of Veterans Affairs has been heavily involved in COVID-19 relief.

The Orion hack began as early as March 2020. Over 18,000 customers had installed the compromised software, which means these customers were exposed to spying operations throughout 2020. The malware inserted into the updates gave the elite hackers remote access to an organization’s network. Since the malware went undetected for months, the hackers had ample opportunity to obtain information from their targets; they could also monitor emails and other internal communications. FireEye, the cybersecurity company that first discovered the breach, describes the capabilities of the malware: it initially lies dormant for up to two weeks and then hides in plain sight by masquerading its activity as “Orion Activity”. In 2016, Russian military hackers used a method called “supply chain” to infect companies doing business in Ukraine with a hard-drive-wiping virus called NotPetya. That attack is considered one of the most damaging cyber-attacks to date. The infiltration tactic used in the current hack has also been identified as similar to the “supply chain” method.

The Orion software framework contained a backdoor that communicated via HTTP to third-party servers. The cybersecurity firm FireEye tracks the trojanized version of the Orion plug-in as SUNBURST.


FireEye described the use of the SUNBURST backdoor in a blog post published on 13 December 2020. It stated,

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”
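As an added illustration (not from the article, FireEye or SolarWinds), the following Python pass over constructed proxy-log lines shows the control a defender still has against traffic that masquerades as OIP: since the request content looks legitimate, it allowlists the destinations the Orion process is expected to reach and flags every other host. The process name, vendor domains and log format are assumptions made for the demo.

```python
# Added detection example: flag outbound HTTP from the Orion process to hosts
# outside the vendor's domains. Process name, domains and log format are
# assumptions for this demo, not values taken from the article.
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<iso-timestamp> <client> <process> <dest-host> <method> <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<proc>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Assumed: the Orion process name and the vendor hosts it is expected to reach.
ORION_PROCESS = "SolarWinds.Orion.Core.BusinessLayer.exe"
ALLOWED_DOMAINS = {"solarwinds.com", "solarwinds.net"}


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def domain_allowed(host, allowed=ALLOWED_DOMAINS):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def find_unexpected_destinations(lines, process=ORION_PROCESS, allowed=ALLOWED_DOMAINS):
    """Return {client: sorted non-allowlisted hosts} contacted by `process`."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] != process:
            continue
        if not domain_allowed(rec["host"], allowed):
            hits[rec["client"]].add(rec["host"])
    return {client: sorted(hosts) for client, hosts in hits.items()}


# Constructed sample: a legitimate update check, then OIP-looking requests from
# the Orion process to a host outside the vendor's domains two weeks later.
SAMPLE_LOG = """
2020-04-01T02:10:00 orion-01 SolarWinds.Orion.Core.BusinessLayer.exe downloads.solarwinds.com GET /update/check
2020-04-15T03:00:00 orion-01 SolarWinds.Orion.Core.BusinessLayer.exe oip-telemetry.example.net GET /oip/Events
2020-04-15T03:05:00 orion-01 chrome.exe www.example.org GET /
2020-04-16T03:00:00 orion-02 SolarWinds.Orion.Core.BusinessLayer.exe oip-telemetry.example.net POST /oip/Upload
""".strip().splitlines()

if __name__ == "__main__":
    for client, hosts in find_unexpected_destinations(SAMPLE_LOG).items():
        print(f"{client}: Orion process reached unexpected host(s) {hosts}")
```

The browser line is ignored because only the Orion process is checked; the same allowlist logic applies to DNS resolver logs if the proxy does not see the traffic.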

FireEye described the attack through the SUNBURST backdoor as “highly evasive”. Meanwhile, SolarWinds is facing a class action lawsuit filed by a stakeholder of the IT infrastructure management software company in the U.S. District Court for the Western District of Texas on 4 January 2021. The lawsuit is filed against SolarWinds’ ex-president, Kevin Thompson, and chief financial officer, J. Barton Kalsu, on the grounds of violating federal securities laws under the Securities Exchange Act of 1934. The complaint states that SolarWinds failed to disclose that "since mid-2020, Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran". The complaint also mentions that the SolarWinds update server had a weak, easily accessible password, ‘solarwinds123’.

Microsoft’s internal security research team found evidence that the same hackers had accessed some internal source code in the company’s systems. Microsoft said the attackers’ activity went beyond the mere presence of the malicious SolarWinds code in its environment. Microsoft has “an open source like culture” that allows teams within Microsoft to view source code. The company acknowledges that this is part of its threat model, but downplays the risk by saying that “just viewing the source code should not cause any elevated risk”.

Russian hackers have also managed to breach the network of the City of Austin, Texas. The breach dates back to at least mid-October 2020. The hackers appear to have targeted the U.S. Treasury, the Departments of Commerce and Homeland Security, the Pentagon, the cybersecurity firm FireEye, and SolarWinds. The breach of Austin’s city network is an apparent win for the Russian hackers. In theory, the compromise could have given them access to sensitive information on city governance, elections and the city police, and by digging deeper the hackers could burrow into the city’s energy, water and airport networks.

Berserk Bear, the hacking outfit currently believed to be behind Austin’s breach, appears to have used Austin’s network as a staging ground for larger attacks. Berserk Bear, also known as BROMINE among several other names, is believed to have been responsible for a series of breaches of significant U.S. infrastructure in the past year.

The attacks on SolarWinds, the U.S. government and FireEye have been linked to another Russian group called APT29, popularly known as Cozy Bear. Berserk Bear is allegedly a unit of the Russian Federal Security Service (FSB). Cozy Bear is known to be affiliated with the Russian Foreign Intelligence Service, or SVR. The FSB and SVR are considered successors of the Soviet-era Committee of State Security, widely known as the KGB.

The Austin council seems to have been aware of the breach since October 2020. The FBI and CISA had published an initial advisory warning of “advanced persistent threat actors” (APTs) on 9 October 2020. The advisory warned the city council of APTs targeting state and local governments. On 22 October, a follow-up advisory was published in which both agencies attributed the breach to Berserk Bear. CISA published a heat map listing the types of organizations that were breached, scanned or targeted by Berserk Bear. Berserk Bear’s reputation for lurking fits its common pattern of espionage-oriented attacks. Sami Ruohonen, a researcher at the Finnish cybersecurity firm F-Secure, said that such adversaries have typically been inside a network for more than a couple of months before someone discovers their presence. Ruohonen also mentioned that this technique is especially favoured by APT groups because the longer they go unnoticed, the longer they retain remote access to the network. F-Secure, in a report published in 2019, compared Berserk Bear and similar groups to the cyber equivalent of sleeper cells.

Cybersecurity experts have warned the City of Austin and the U.S. that the Berserk Bear hackers are not just involved in espionage and sabotage. They can gear up at any moment and create havoc in the United States. These Russian hackers could cause city blackouts, disrupt water supplies and even disrupt COVID-19 relief. Vikram Thakur, a technical director at Symantec who has tracked Berserk Bear for years, said: “We should be cognizant of the level of information that they have, turning on valves or closing valves, things of that sort — they have the expertise to do it.”

Kevin Thompson, the ex-CEO of SolarWinds | Source: SolarWinds Facebook

SolarWinds replaced its ex-CEO Kevin Thompson with Sudhakar Ramakrishna. Unlike his predecessor Thompson, who is an accountant by training, Ramakrishna comes from a security background, having led Pulse Secure in the recent past. The new CEO publicly stated that the company will make five critical changes to put security front and center. The company also hired ex-CISA chief Chris Krebs and Facebook’s former security lead, Alex Stamos. Krebs and Stamos work as independent consultants to help the company coordinate its crisis response. Krebs told the Financial Times that it could take years to uncover the full extent of the hack. On the brighter side, the new CEO mentioned that the company has engaged several cybersecurity experts to assist SolarWinds in its efforts to become more secure. We can hope that, with better expertise, vision and understanding of threat and vulnerability management, the company is now headed towards a better future.
